linux-stable-rt/drivers/char/ipmi
Heikki Orsila 3fb0cb5d0f [PATCH] Open IPMI BT overflow
I was looking into random driver code and found a suspicious looking
memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:

	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
		return -1;
	...
	memcpy(bt->write_data + 3, data + 1, size - 1);

where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
attached to limit size to (IPMI_MAX_LENGTH - 2).

Cc: Corey Minyard <minyard@acm.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-04-19 09:13:52 -07:00
..
Kconfig
Makefile
ipmi_bt_sm.c
ipmi_devintf.c
ipmi_kcs_sm.c
ipmi_msghandler.c
ipmi_poweroff.c
ipmi_si_intf.c
ipmi_si_sm.h
ipmi_smic_sm.c
ipmi_watchdog.c